[Linux/UNIX] Configure /etc/sudoers to ask for password only on some command
James Stanley
Member #7,275
May 2006
I need to configure my /etc/sudoers file to ask for a password when running anything except /etc/init.d/ssh. At the moment I have:

```
Defaults env_reset, env_keep = DISPLAY
Cmnd_Alias SSH = /etc/init.d/ssh
root ALL = (ALL) ALL
james ALL = NOPASSWD: SSH
```

How would I configure to allow everything else to require a password? Thanks.
CGamesPlay
Member #2,559
July 2002
```
james ALL = (ALL) ALL
```

-- Ryan Patterson - <http://cgamesplay.com/>
James Stanley
Member #7,275
May 2006
That still asks for a password on /etc/init.d/ssh.

EDIT:
CGamesPlay
Member #2,559
July 2002
You added it as a separate line? What's `sudo -l` say?

-- Ryan Patterson - <http://cgamesplay.com/>
Evert
Member #794
November 2000
Why do you need to be root to run ssh and why is your ssh in /etc/init.d?
James Stanley
Member #7,275
May 2006
I replaced the line I already had with yours. Is that right? `sudo -l` said:

```
User james may run the following commands on this host:
```

You need to be root to start the SSH server. The startup script for the SSH server is in /etc/init.d because that is where it goes. To be honest, I don't entirely know why. I think it is so that init knows to run it.

EDIT: `sudo -V` said:

```
Sudo version 1.6.8p12
```
Thomas Fjellstrom
Member #476
June 2000
Can't you just tell it to startup via init instead? As all daemons should be?
James Stanley
Member #7,275
May 2006
It does start via init. I guess I should have explained: Occasionally I need to SSH to my computer. Also, I like to turn off the server after I have used it. But if I do that through SSH I can't get back in, so I have set up a filter in KMail. Whenever I receive an email with some special information in it, it runs `sudo /etc/init.d/ssh start`, then I can ssh in. Once I'm done, I send myself another email with some different data in it and it stops the server.
Evert
Member #794
November 2000
Ah! It's called sshd on my system.
James Stanley
Member #7,275
May 2006
Root is never logged on, so would not receive the message. Why is it not a good idea? I am the only person who uses the computer. If I find that it won't connect, I can start it; if I find it has been started by somebody then it is no different to leaving it on all the time.

EDIT:
CGamesPlay
Member #2,559
July 2002
> I just prefer to use /etc/init.d/ssh to start and stop it (I don't know why).

Because it's the init script, and it won't be shut down properly (automatically) if you don't.

> To be honest, I don't entirely know why. I think it is so that init knows to run it.

Convention; sshd can be run without using that script, but you can't have it start automatically without it.

> Occasionally I need to SSH to my computer. Also, I like to turn off the server after I have used it. But if I do that through SSH I can't get back in, so I have set up a filter in KMail. Whenever I receive an email with some special information in it, it runs sudo /etc/init.d/ssh start, then I can ssh in. Once I'm done, I send myself another email with some different data in it and it stops the server.

I hope you know you don't actually gain any security from this. Think about it logically: if someone wanted to hack into your machine, they would no doubt be monitoring your internet traffic. The email with the "special information" is sent in clear, so it can easily be reproduced (unless you are using a 1-time key, which I know you aren't).

Anyways, assuming you are doing it just for fun:

> I replaced the line I already had with yours. Is that right?

No, you need to be able to access all commands, and additionally you need to be able to access ssh without a password. Stated in sudoers-ish:

```
james ALL = (ALL) ALL
james ALL = NOPASSWD: SSH
```

-- Ryan Patterson - <http://cgamesplay.com/>
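The reason the two lines must both be present, and in that order, is that sudo scans the user's entries top to bottom and the last matching entry decides the tag. The following is an added example, not code from the thread or from the sudo project: a deliberately minimal model of that matching rule (user, host, optional runas, PASSWD/NOPASSWD tag, commands and Cmnd_Alias), with the three sudoers variants discussed above embedded as constructed input. It ignores everything else real sudo does (wildcards, Defaults, User_Alias, negation), so treat its verdicts as illustrations, not as a substitute for checking the real file.

```python
"""Toy model of sudoers rule matching (added example; not sudo's own code).

Models the one behaviour the thread turns on: every matching entry is
considered in file order and the LAST match determines whether a password
is needed. Hosts are only compared against 'ALL' or the supplied host name.
"""
import re
from dataclasses import dataclass

# user  host = [(runas)] [NOPASSWD:|PASSWD:] cmd1, cmd2 ...
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tag>(?:(?:NO)?PASSWD:\s*)?)"
    r"(?P<cmds>.+)$"
)


@dataclass
class Rule:
    user: str
    host: str
    runas: str
    nopasswd: bool
    cmds: list  # 'ALL' or absolute paths, with Cmnd_Aliases already expanded


def parse_sudoers(text):
    """Parse the subset of sudoers syntax used in the thread into Rule objects."""
    aliases = {}
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line or line.startswith("Defaults"):
            continue
        if line.startswith("Cmnd_Alias"):
            name, _, body = line[len("Cmnd_Alias"):].partition("=")
            aliases[name.strip()] = [c.strip() for c in body.split(",")]
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unsupported sudoers line: {raw!r}")
        cmds = []
        for c in m.group("cmds").split(","):
            c = c.strip()
            cmds.extend(aliases.get(c, [c]))  # expand alias or keep literal
        rules.append(Rule(m.group("user"), m.group("host"),
                          m.group("runas") or "root",
                          m.group("tag").startswith("NOPASSWD"), cmds))
    return rules


def check(rules, user, command, host="derek"):
    """Return 'denied', 'password' or 'nopasswd' for user running command.

    Last matching rule wins, exactly as sudoers(5) documents for real sudo.
    """
    verdict = "denied"
    for r in rules:
        if r.user != user or r.host not in ("ALL", host):
            continue
        if "ALL" in r.cmds or command in r.cmds:
            verdict = "nopasswd" if r.nopasswd else "password"
    return verdict


# Constructed inputs: the three variants discussed in the thread.
ORIGINAL = """
Defaults env_reset, env_keep = DISPLAY
Cmnd_Alias SSH = /etc/init.d/ssh
root ALL = (ALL) ALL
james ALL = NOPASSWD: SSH
"""
REPLACED = """
Cmnd_Alias SSH = /etc/init.d/ssh
root ALL = (ALL) ALL
james ALL = (ALL) ALL
"""
FIXED = """
Cmnd_Alias SSH = /etc/init.d/ssh
root ALL = (ALL) ALL
james ALL = (ALL) ALL
james ALL = NOPASSWD: SSH
"""
# Same two lines as FIXED but swapped: the broad rule now matches last.
REVERSED = """
Cmnd_Alias SSH = /etc/init.d/ssh
james ALL = NOPASSWD: SSH
james ALL = (ALL) ALL
"""

if __name__ == "__main__":
    for name, text in [("ORIGINAL", ORIGINAL), ("REPLACED", REPLACED),
                       ("FIXED", FIXED), ("REVERSED", REVERSED)]:
        rules = parse_sudoers(text)
        print(name, "ssh:", check(rules, "james", "/etc/init.d/ssh"),
              "ls:", check(rules, "james", "/bin/ls"))
```

On a real system the checks to run are `visudo -c -f <file>` (syntax check of a candidate file without installing it) and `sudo -l` as the user, which prints the effective entries in the order sudo will evaluate them. The REVERSED case is the one to watch for when editing an existing file: appending a broad `ALL` line after a NOPASSWD line silently reinstates the password prompt.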
Evert
Member #794
November 2000
> Root is never logged on

So what? The message is still received by the system, you can respond to that (try `man procmail`, for instance).

> Why is it not a good idea?

Because you're adding a possible vulnerability where there wasn't one before. If a normal user normally shouldn't be able to do something, then you should think twice before changing that.

> I am the only person who uses the computer.

So why not let sshd run normally?

> If I find that it won't connect, I can start it, if I find it has been started by somebody then it is no different to leaving it on all the time.

And if someone shuts it down while you're logged in?

> Yeah, the executable is called sshd on mine too. I just prefer to use /etc/init.d/ssh to start and stop it (I don't know why).

That's what I meant. It's /etc/init.d/sshd on my machine.
James Stanley
Member #7,275
May 2006
Ah! Thank you. That works. I realised I wasn't gaining much security, but it's fun and I could apply it to anything else I need to start while I'm not at my computer. Anyway, thanks.

EDIT:
Evert
Member #794
November 2000
> OK. Sorry if I offended you.

Where did you get that idea from?
James Stanley
Member #7,275
May 2006
You just seemed angry, that's all. I've always been bad at judging emotion when the person isn't actually there...
CGamesPlay
Member #2,559
July 2002
> So what? The message is still received by the system, you can respond to that (try man procmail, for instance).

His system isn't running an SMTP server. KMail is receiving it from his POP account.

> Because you're adding a possible vulnerability where there wasn't one before.

James: the only vulnerability is that now any person, user or not, can activate your ssh server. Not a serious problem, in this case.

-- Ryan Patterson - <http://cgamesplay.com/>
James Stanley
Member #7,275
May 2006
Yeah, that's what I thought. The only vulnerability might be if somebody knows how to get the SSH server to edit something that allows them to elevate privileges without passwords, but that's unlikely, and they'd probably need access to the computer.
CGamesPlay
Member #2,559
July 2002
> The only vulnerability might be if somebody knows how to get the SSH server to edit something that allows them to elevate privileges without passwords, but that's unlikely, and they'd probably need access to the computer.

That's a bug in ssh, and there is nothing you can do about it. Take comfort in the fact that hacking basically any other server on the net would be more profitable.

-- Ryan Patterson - <http://cgamesplay.com/>
James Stanley
Member #7,275
May 2006
Ha ha! OK. I wasn't going to worry about it. Nobody has ever tried to hack me before, anyway (AFAIK).
Evert
Member #794
November 2000
> You just seemed angry, that's all.

How so?
James Stanley
Member #7,275
May 2006
The way you keep questioning everything I say. I don't know what I said that could have made you angry, but you seemed it. End of discussion.
CGamesPlay
Member #2,559
July 2002
> The way you keep questioning everything I say. I don't know what I said that could have made you angry, but you seemed it.

A common mistake many people make when communicating online is incorrectly differentiating between being angry and being critical. Evert was just saying what he had to say without any emotion. Because that didn't agree with what you were saying, you assumed he was angry at you. Arguments don't have to be angry, they can be fun!

> End of discussion.

Hah!

-- Ryan Patterson - <http://cgamesplay.com/>
James Stanley
Member #7,275
May 2006
Wait a minute...

```
Jan  3 16:25:07 derek sshd[20552]: Failed password for invalid user staff from 61.232.12.74 port 47970 ssh2
```
Thomas Fjellstrom
Member #476
June 2000
That's most likely a bot scanning random computers for SSH and possible holes, to probably then install a backdoor for sending spam.
Evert
Member #794
November 2000
I get those. I think it would be possible to disable remote root logins if you're worried about that; it's something I've been meaning to look into but haven't got round to yet.
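Log lines like the one James posted are the usual signature of password-guessing bots, and the useful defensive response is to count them per source and to watch separately for any successful root login (the setting Evert is thinking of is `PermitRootLogin no` in sshd_config). The following is an added example, not code from the thread: a small parser for the two sshd message formats, "Failed password for [invalid user] USER from IP port N ssh2" and "Accepted METHOD for USER from IP port N ssh2", run over a handful of constructed log lines (documentation IP ranges, made-up timestamps) to produce a per-source summary. Real logs carry other sshd messages too; those are simply skipped.

```python
"""Summarise sshd password-guessing activity from auth log lines.

Added example (not from the thread). Sample log lines below are constructed;
the message formats match what OpenSSH's sshd writes to syslog.
"""
import re
from collections import Counter, defaultdict

SYSLOG_PREFIX = r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "

FAILED_RE = re.compile(
    SYSLOG_PREFIX
    + r"Failed password for (?:invalid user )?(?P<user>\S+) "
    + r"from (?P<ip>\S+) port \d+ ssh2$"
)
ACCEPTED_RE = re.compile(
    SYSLOG_PREFIX
    + r"Accepted (?P<method>\w+) for (?P<user>\S+) "
    + r"from (?P<ip>\S+) port \d+ ssh2$"
)


def summarize(lines, threshold=5):
    """Count failed passwords per source IP and flag noisy sources.

    Returns a dict with:
      failures     - failed-password count per source IP
      users_tried  - sorted user names each source attempted
      suspects     - sources with at least `threshold` failures
      root_accepts - (ip, method) for every successful root login
    """
    failures = Counter()
    users = defaultdict(set)
    root_accepts = []
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            failures[m["ip"]] += 1
            users[m["ip"]].add(m["user"])
            continue
        m = ACCEPTED_RE.match(line)
        if m and m["user"] == "root":
            root_accepts.append((m["ip"], m["method"]))
        # any other sshd message (connection closed, key exchange...) is ignored
    return {
        "failures": dict(failures),
        "users_tried": {ip: sorted(u) for ip, u in users.items()},
        "suspects": {ip: n for ip, n in failures.items() if n >= threshold},
        "root_accepts": root_accepts,
    }


# Constructed sample: one scanning source cycling through common account
# names, one legitimate user with a single typo, and one root login that
# a defender would want to see flagged.
SAMPLE_LOG = """\
Jan  3 16:25:07 derek sshd[20552]: Failed password for invalid user staff from 192.0.2.10 port 47970 ssh2
Jan  3 16:25:09 derek sshd[20553]: Failed password for invalid user admin from 192.0.2.10 port 47981 ssh2
Jan  3 16:25:11 derek sshd[20554]: Failed password for invalid user test from 192.0.2.10 port 47990 ssh2
Jan  3 16:25:13 derek sshd[20555]: Failed password for root from 192.0.2.10 port 48002 ssh2
Jan  3 16:25:15 derek sshd[20556]: Failed password for invalid user oracle from 192.0.2.10 port 48014 ssh2
Jan  3 16:25:17 derek sshd[20557]: Failed password for invalid user guest from 192.0.2.10 port 48020 ssh2
Jan  3 16:30:02 derek sshd[20601]: Failed password for james from 198.51.100.7 port 50122 ssh2
Jan  3 16:30:10 derek sshd[20601]: Accepted publickey for james from 198.51.100.7 port 50122 ssh2
Jan  3 16:31:44 derek sshd[20610]: Connection closed by 198.51.100.7
Jan  3 16:40:31 derek sshd[20650]: Accepted password for root from 192.0.2.10 port 48300 ssh2
""".splitlines()

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for ip, n in report["suspects"].items():
        print(f"{ip}: {n} failed passwords, users tried: {report['users_tried'][ip]}")
    for ip, method in report["root_accepts"]:
        print(f"WARNING: root login accepted from {ip} via {method}")
```

The threshold is per source over the whole input; for a live log you would bucket by time window as well, but the shape of the check is the same. A root password login from the same address that was guessing names a few minutes earlier is exactly the event that disabling remote root logins prevents.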